SoylentNews is people
SoylentNews
from the CxOs-never-look-at-powerpoint-files dept.
Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file.
The method—which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit—is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload. Those methods are so widely used that many people are able to recognize them before falling victim.
Instead, the delivery technique made use of the Windows PowerShell tool, which was invoked when targets hovered over a booby-trapped hyperlink embedded in the attached PowerPoint document. Targets using newer versions of Microsoft Office would by default first receive a warning, but those dialogues can be muted when users are tricked into turning off Protected View, a mode that doesn't work when documents are being printed or edited. Targets using older versions of Office that don't offer Protected View are even more vulnerable.
"While features like macros, [object linking and embedding], and mouse hovers do have their good and legitimate uses, this technique is potent in the wrong hands," researchers from antivirus provider Trend Micro wrote in a blog post published Friday morning. "A socially engineered e-mail and mouse hover—and possibly a click if the latter is disabled—are all it would take to infect the victim."
Source: ArsTechnica
See also a report at Dodge This Security.
(Score: 4, Insightful) by jcross on Monday June 12 2017, @07:28PM (41 children)
"While features like macros, [object linking and embedding], and mouse hovers do have their good and legitimate uses..."
Can anyone give me an example of why I'd want to run a shell script on a mouse hover? This sounds like a terrible idea.
Office seems to have become another great example of the inner platform problem. It's been successful in that lots of businesses are locked into it at this point, but I imagine many of them are wishing they weren't.
(Score: 0) by Anonymous Coward on Monday June 12 2017, @07:36PM (14 children)
When a person hovers over an icon, it expands to reveal the latest data pulled straight from the company server.
I DON'T KNOW, FUCK YOU AND FUCK COMPUTING.
(Score: 2, Insightful) by Anonymous Coward on Monday June 12 2017, @08:06PM (13 children)
Fuck PHBs. Fuck anybody who wants to do anything with a computer that doesn't involve crunching numbers or retrieving information.
I want the information to be presented in plaintext UTF-8, or perhaps we need a new standard now that Unicode has an ungodly among of wingdings (now called emojis for reasons only god knows even though most of them are not emoticons). In addition to plaintext, I want simple markup documents that will refuse to display when composed by illiterates who fucking fail at grammar,* perhaps something like XHTML. I also want the possibility of quality typesetting, so we may include TeX/LaTeX and DVI documents perhaps.
Images shall be bitmaps (something similar to PNG) or vector graphics (something similar to SVG). No images shall be hyperlinks.
All software shall be launched from a command line. Illiterate fucking dipshits who can't type straight HAVE NO BUSINESS USING A GENERAL PURPOSE COMPUTER.
THAT IS IT. NOTHING MORE. I will even delete my entire movie collection and all my ripped FLACs if this can happen.
Let the businesses have a field day with DRM lockdown hardware platforms. Let everything else be gaming consoles or appliances THAT THE VENDOR IS REQUIRED BY LAW TO SUPPORT AS WHOLE PRODUCT. NO MORE GENERAL PURPOSE COMPUTERS FOR THE MASSES. These requirements will chase everybody away but those of us with a hobby or a job that involves operating a general purpose computer.
There. I feel much better now.
* I have just guaranteed that this post will have at least 1 grammatical or spelling error.
(Score: 3, Funny) by DannyB on Monday June 12 2017, @08:16PM (2 children)
Dear PHBs. Please hold out for UTF-64.
It will have Klingon, Narn, and all those other languages. And it will be out any day now.
Most of the new codespace that 64 bits will give us will be occupied by new emojis.
Then there will be new software that allows drawing any possible photo quality image by using characters from the UTF-64 codespace. There will be characters in the font that make up every possible color pattern of bits for that character such that many lines of adjacent characters in that font will draw any possible screen image.
Then we'll please to be to start of thinking UTF-256 very quickfully.
The lower I set my standards the more accomplishments I have.
(Score: 2) by takyon on Monday June 12 2017, @08:39PM
UTF-64: One Emoji Per Human
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Monday June 12 2017, @09:10PM
Personally, I think the codepoints currently assigned to emojis would be better assigned to fictional writing systems of note such as Klingon, Quenya, Narn, etc. I don't know how we'd determine noteworthiness (though perhaps this would be an exercise to occupy Wikipedia's deletionists), but Klingon would probably be the only one to pass that bar that comes to mind. Even then, for practical reasons, Klingon is more commonly romanized than represented in the corresponding writing system. (Chicken and egg problem? Perhaps allow a "private-use" block so specialty applications could represent these characters until the use of the writing system has achieved noteworthiness without sacrificing an in-use block as current Klingon fonts do?)
I want Arabic characters, Khmer characters, Hieroglyphics, Norse runes, IPA, and all manner of writing systems that humans currently use and have been used historically. There is no need for emojis beyond basic wingdings, if basic wingdings should even be included. Whether or not to include alchemical symbols I suppose I am ambivalent about. Obviously, we can't include everything as a practical matter, because then nobody would bother creating alternative typefaces once a reference typeface had been promulgated.
(Score: 2) by kaszz on Monday June 12 2017, @08:38PM (3 children)
PHBs are hired by the people with the gold (money) to outsource the control of their workers (slaves). The catch is their thinking is short sighted inside their box.
Plaintext, that must be ASCII 8-bit. And it UTF is to be used. Then it might be an idea to standardize [wikipedia.org] on some version that explicitly excludes all irrelevant and politically correct junk [wikipedia.org].
Does LaTeX/DVI include some execute code like facility? Btw, asfair LaTeX is printed into DVI which is then displayed (like postscript).
Everything that wants to execute shall have to put up a dialog box enforced by the OS or program that ask if it's okay to do X or not.
No need for DRM to lookout the sheeple. Just make it so that it takes skill to break free.
(maybe that's why Apple has to be jailbroken? :p)
Many good ideas, I had similar myself.
(Score: 1) by anubi on Tuesday June 13 2017, @03:57AM (2 children)
From what I have observed of the "business executive mentality", PowerPoint is Business-Grade software.
People like us have no business using it.
Business-Grade software is for people who can delegate all the shit so someone else. People like us are the ones who actually personally experience the ramifications of bad software, so naturally, we don't like to mess with it.
Empirical analysis: When one gets up high enough in organizational rank:
(1) Appearance trumps substance.
(2) Artfully spoken bullshit trumps sound scientific analysis.
(3) The cheapest way to do it is the best way to do it. That is the absolute minimum amount of cost to eke by the customer acceptance test. And even then, cover yourself with businesstalk legalese to make sure once the customer gets snookered, he STAYS snookered. Legal clauses are much faster to write than a sound design.
Businessmen operate on a whole different level than the common man.
I don't believe I have said a word that many working in a big organization have not already experienced.
Sometimes, I believe it is best to stop trying to shoo the moth from the fire. As long as it has its wings ( capital ), it will do anything to fly right into the flame. But once the flames burn off its wings, its one of us now, and finally can understand why things like we are concerned about are so important. As long as it has those wings, it seems inhibited to common computing sense.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by kaszz on Tuesday June 13 2017, @12:45PM (1 child)
The question is how to firewall yourself from that moth then..
(Score: 1) by anubi on Tuesday June 13 2017, @02:51PM
That seems all one can do. Its as frustrating as dealing with a teenage daughter in heat, with young boys around.
Dad knows what's apt to happen. He's seen this before. The young daughter wants to have fun.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by bob_super on Monday June 12 2017, @09:36PM
Where's the "off my lawn" mod?
(Score: 0) by Anonymous Coward on Tuesday June 13 2017, @12:35AM (2 children)
And "wingdings" are a problem because...? I might sympatize with an idea than combining characters wasn't as good of an idea as some thought it would be, but this? If you don't need those you just don't use them.
(Score: 2) by Arik on Tuesday June 13 2017, @01:26AM (1 child)
No, a text encoding system needs to encode text. It needs to encode the regular symbols used in writing the language, the alphabet/abugida or whatever, along with standard punctuation symbols. It doesn't need to encode colors, shapes etc. that's a different level of abstraction completely and it does not belong here. On the other hand one of the most important things you DO want to have here is clarify - each symbol should be distinct, clearly different from all the other symbols. UTF fails that badly, there are way too many distinct symbols with the same appearance.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Tuesday June 13 2017, @08:51AM
So, you don't like that other people can use text the way you do not like. Are you high, man?
(Score: 1) by Arik on Tuesday June 13 2017, @01:19AM (1 child)
But it's become so overrun with nonsense it almost seems like a bad idea in retrospect. ASCII wasn't perfect but at least we were spared all these wingnuts.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Tuesday June 13 2017, @07:56AM
iso8859-1 handles æøåäö just fine in eight bits, without clobbering {[]}\| like the 7-bit standards did. You only need Unicode for Chinese/Japanese/etc or if you want to mix different alphabets, such as Latin + Cyrillic.
(Score: 0) by Anonymous Coward on Monday June 12 2017, @07:42PM
Dynamically generated rollover popup content?
(Score: 3, Interesting) by Anonymous Coward on Monday June 12 2017, @07:43PM (3 children)
Outlook has also started obfuscating all links in email by redirecting through some microsoft site. This has made it impossible to safely click any link in an email.
(Score: 2) by kaszz on Monday June 12 2017, @08:06PM (2 children)
And it's not possible to get the real link without a network connection?
Ie like this:
https://www.microshaft.com/spy.php?pleblink=AjXU1DuWUCrdJDTemgLpY3vmj0C3 [microshaft.com]
Instead of:
https://www.microshaft.com/spy.php?pleblink=https%3A%2F%2Fwww.info.com%2Fspecification.pdf [microshaft.com]
(Score: 0) by Anonymous Coward on Monday June 12 2017, @08:55PM (1 child)
They chose the first way.
(Score: 3, Insightful) by kaszz on Tuesday June 13 2017, @12:47PM
Obviously every outlook.com mail needs to be shunned.
If that is not outright enforced spying.. what is.
(Score: 3, Informative) by Grishnakh on Monday June 12 2017, @07:56PM (15 children)
It's been successful in that lots of businesses are locked into it at this point, but I imagine many of them are wishing they weren't.
Well if they get infected or ransomwared or whatever and it puts them out of business, they got what they deserved. They should have made better choices.
(Score: 0) by Anonymous Coward on Monday June 12 2017, @08:08PM (4 children)
I know right? They should use Linux and TuxWriter.
(Score: 2) by DannyB on Monday June 12 2017, @08:11PM (2 children)
MS-DOS and Edlin you suggester of non-Microsoft anointed technologies.
The lower I set my standards the more accomplishments I have.
(Score: 2) by bob_super on Monday June 12 2017, @10:11PM (1 child)
Or just use Office 2003 on airgapped PCs. Good usability, total safety.
What? There's a virus on Jim's PC? Sorry Jim, you're the only one with the key to your PC's cabinet, and we talked about sanitizing all USB drives in the training...
(Score: 2) by jcross on Monday June 12 2017, @11:37PM
It's hard to imagine the point of an office suite if you can't share the documents. I mean I guess all sharing could be done by printing, but that sucks for any kind of joint editing.
(Score: 2) by jimtheowl on Monday June 12 2017, @10:04PM
(Score: 4, Insightful) by DannyB on Monday June 12 2017, @08:08PM (9 children)
In about 1981 someone explained to me what it meant that "nobody ever got fired for buying IBM".
Background: a manager working on a project, buys IBM, and project fails.
What management says: I bought IBM, the best there is, so it shouldn't have failed. I guess this is just not possible to do.
(in an alternate universe, an explanation could be, you bought the "best" there is, it failed, and therefore you own the failure?)
Fast forward* to the 1990's: Nobody ever got fired for buying Microsoft.
( * unless you're using 8-track which has no fast forward, or some idiot 'invented' a poorly implemented FF)
Since Microsoft is a guarantee of success, everyone buys Microsoft.
Before the year 2000 it was obvious Microsoft was a security nightmare. The I Love You virus. The Code Red spreading across IIS servers like a forest fire. Directory traversal bugs in IIS -- mitigated by not allowing the dot-dot patterns in URLs. New directory traversal attacks by using character escaping. Fixed by not allowing dot-dot character escapes in URLs. New directory traversal attack by using double escaping of dot-dot characters, and taking advantage of the fact that the Windows filesystem would also do character escaping, and IIS after the first set of character escapes would not see any dot-dot patterns. IIS having buffer overflow attack if URL exceeds 8000 characters. SMB remote execution attacks. Many other attacks based on Windows being written in C / C++.
Fast forward* to today.
So yes, everyone who bought this crap absolutely deserves what they are getting today.
The lower I set my standards the more accomplishments I have.
(Score: 2) by kaszz on Monday June 12 2017, @08:46PM (8 children)
"nobody ever got fired for buying IBM" + manages and executive style people, is deep at the root as to why we have these bullshit problems. And then it went on to Microsoft because evil free OS and programs don't have a official support line or will bend to every detrimental need of every customer that didn't think through the overall situation. And of course free must be bad because you haven't pay'd for it.
Thankfully there is now a possibility apply strong Darwin to the problem ;-)
(Score: 2) by DannyB on Tuesday June 13 2017, @03:39PM (7 children)
If we're just talking about open source, I would point out that open source has already won. Microsoft's best days are behind it. Now it is a game where the glory days of monopoly are over and they have to fight for every inch -- like a real business. In order to stay relevant Microsoft is having to embrace open source because it is where the developers developers developers are at.
The Microsoft monopoly days are a blip in the history of technology an the software industry.
Open source is like the ocean tide. You can't stop it with your hands. You may be able to block some portion of the beach, such as desktop PCs, but everything else experiences the tide. Every single computer, microprocessor, microcontroller, or embedded computer application is now run by open source. ARM processors are sold by the billions while Intel chips are sold by the hundreds of millions. What OS runs on ARM chips -- not Windows, in any significant number.
The lower I set my standards the more accomplishments I have.
(Score: 2) by kaszz on Tuesday June 13 2017, @04:18PM (2 children)
It's not per CPU that matters here. But per person experience. Many people interact with work and the internet etc using Microsoft. And we still have this UEFI, DRM, TPM, Intel AMT, NVidia etc.. all sidelining open software.
(Score: 2) by DannyB on Tuesday June 13 2017, @04:29PM (1 child)
IIRC, Microsoft's browsers are no longer the majority. Or if majority, only a slim majority.
Another example of open source winning was that all of the open source browsers participated in web standardization while Microsoft actively worked against web standards in order to "microsoftize" the web. That failed.
It failed so badly that Microsoft just abandoned the IE codebase and build Edge for standards compliance. That is a great example of open source winning.
Many people may interact with the web using Edge, but it's at least standards compliant -- which Microsoft doesn't drive.
The lower I set my standards the more accomplishments I have.
(Score: 2) by kaszz on Wednesday June 14 2017, @12:53AM
I came to think of another aspect when you mentioned majority. It may be that majority is not the lone factor that is of importance but also how intelligent and knowledgeable the people using specific tools are. Those people will want to have those tools working.
(Score: 2) by Grishnakh on Wednesday June 14 2017, @03:18PM (3 children)
Every single computer, microprocessor, microcontroller, or embedded computer application is now run by open source
Where'd you get this idea?
Most business PCs still run Windows. Windows is not open-source in the slightest. There's no signs of this changing: Windows 10 with its horrid UI is here, and businesses are steadily converting.
PCs that don't run Windows are generally running MacOSX. It's not open-source either. Sure, some bits of it are, but it's not like the user can actually modify anything on their Macbook, so having a sorta-open-source kernel really doesn't mean much in practical terms. All the important user-facing stuff is locked up.
Very few people except enthusiasts run Linux on their PCs. Worse, in the last decade I've seen a lot of Linux users convert to Mac, and at best run Linux within a VM for only particular tasks.
Almost all phones run either iOS or Android. iOS is as closed-source as you can get I think. Android uses the Linux kernel, but with tons of proprietary closed-source drivers. It's a total mess (because of the closed-source drivers); it's hard to modify it or make alternative ROMs because of this issue. Parts of the rest of the OS are open-source (AOSP), but other parts are not, so building your own AOSP ROMset, if you can get past the driver issue (which basically means being stuck on a particular kernel version) means you're missing a lot of functionality that other Android users take for granted. Worse still, Google is working on eliminating the use of the Linux kernel, and changing to some other in-house kernel.
I'm sorry, but you seem completely deluded. As much as I'd like to see a bright open-source future coming soon, I don't. I see a future full of proprietary OSes and walled gardens. Before long, you won't even be able to install any software on your computer (PC or mobile device) without getting it from the vendor's app store. Windows is headed that way quickly. The sad fact is that most people just don't care about freedom, only convenience, and due to the necessity of standards and interoperability, you'll shut yourself out of society and employment if you don't follow the crowd to a certain extent.
(Score: 2) by DannyB on Wednesday June 14 2017, @06:26PM (2 children)
Dang! I meant to qualify that to exclude desktop PCs. Everything else is largely open source.
The lower I set my standards the more accomplishments I have.
(Score: 2) by Grishnakh on Wednesday June 14 2017, @06:32PM (1 child)
You didn't read my post, did you? I specifically noted both PCs and mobile devices. Hint: iOS is not open-source.
(Score: 2) by DannyB on Wednesday June 14 2017, @07:06PM
You're right. I skimmed. I didn't consider iOS. But it is NOT a majority. Android has about 4/5 of the smartphones, and rising. So my statement about the majority of non-desktop devices running open source would still seem to apply.
The lower I set my standards the more accomplishments I have.
(Score: 2) by TheRaven on Tuesday June 13 2017, @12:23PM (4 children)
sudo mod me up
(Score: 2) by jcross on Tuesday June 13 2017, @06:32PM (3 children)
Sure I get that, but what's wrong with clicking to indicate you want to do something? I feel like there's an unwritten UI contract that merely moving the cursor over something can't possibly be destructive. As soon as you break that rule, users will become afraid to explore the interface for actionable elements. Hell, even clicking shouldn't result in something irreversibly destructive, but that's a whole 'nother layer of UI design.
(Score: 2) by TheRaven on Wednesday June 14 2017, @06:09AM (2 children)
sudo mod me up
(Score: 2) by jcross on Wednesday June 14 2017, @02:01PM (1 child)
Sure, VBA I get, but the exploit in question was able to invoke PowerShell, which seems a bit much. As for restrictions for different event types, web browsers do exactly that. For example, you can follow a link via javascript, but only in a thread that originated with a click event, indicating the user expected to take some kind of concrete action. To me this makes the case for something like google docs, because despite all the holes in browsers, they're far more securely designed than almost any consumer desktop app of similar complexity.
(Score: 2) by TheRaven on Monday June 19 2017, @09:57AM
VBA can invoke PowerShell (or any other program).
But web browsers are explicitly designed to deal with hostile content and no other kind of content. Most of the time, PowerPoint documents are either from the owner of the computer or someone that they trust. That's a very different environment. The real problem is people thinking that MS Office file formats are intended for publishing, which they are not. It's like taking arbitrary LaTeX source and compiling it (which, by default, gives the document arbitrary filesystem access and the ability to run arbitrary programs), rather than reading the DVI / PostScript / PDF output.
sudo mod me up